
OpenStack Services

Ing. Ruben Cordova
Pontifical Catholic University of Peru
Outline

1. Web API
   1.1 Application Programming Interface
   1.2 Uniform Resource Identifier
   1.3 JavaScript Object Notation
   1.4 RESTful API
2. Keystone
   2.1 Authentication methods
   2.2 Identity concepts
   2.3 Keystone elements
3. Glance
   3.1 Architecture
   3.2 Supported disk formats
Web API

- Application Programming Interface (API)
  - Method that allows programs/applications to communicate with each other
  - Two elements
    - Syntax: how information is exchanged
    - Interface: where information is exchanged (called and published)
- Uniform Resource Identifier (URI)
  - “Compact sequence of characters that identifies an abstract or physical resource” (RFC 3986)
  - Two subsets
    - URL: URI that describes the resource’s primary access mechanism and its network location
    - URN: URI that has persistent significance
Web API

- JavaScript Object Notation (JSON)
  - Lightweight data-interchange format
  - Language independent
  - Easy to read and write (for humans) and to parse and generate (for machines)
  - Built on two structures
    - Collection of name/value pairs (e.g. a Python dictionary)
    - Ordered list of values (e.g. a Python list)
Web API

- Representational State Transfer (RESTful API)
  - Takes advantage of existing protocols (for Web APIs: HTTP)
  - Can use different formats (XML, JSON, etc.)
  - Characteristics
    - Client-Server: client and server are separated and allowed to evolve individually and independently
    - Stateless: each call is made independently and contains all the data necessary to complete itself
    - Cache: responses can be cached on the client for a certain time to reduce interactions with the API
    - Uniform Interface: key for allowing the independent evolution of application and client
    - Layered System: in API design, gives freedom to move systems in and out of the architecture
    - Code on Demand: code can be transmitted through the API for use in the application
Keystone

- Enables authentication and management of user accounts and role information of the cloud environment
- Acts as a catalog for all OpenStack services
- Supports multiple forms of authentication
  - Login name and password
  - Token-based credentials
  - REST API logins
- Stores information in a MariaDB/MySQL database (alternatively in LDAP)
- Uses the Apache web server as front end (replaced the keystone service in Mitaka)
- Supports authentication using Kerberos or X.509 certificates (external)
- Integration service: intended to support more authentication methods in the future
Keystone Architecture [5]

(architecture diagram; not reproduced in this text)
Authentication Methods: Lightweight Directory Access Protocol (LDAP) [6]

- Protocol for locating and accessing resources over an IP network
- Allows searching for a resource without knowing where it is located (domain)
Authentication Methods: Kerberos [7]

- Network authentication protocol
  - Based on tickets
  - Authentication using secret-key cryptography
- Characteristics
  - The password is never sent unless encrypted
  - Single login per session
  - Depends on a trusted third party called the Key Distribution Center (KDC)
  - Mutual authentication (client and server)

Authentication flow:

1. The workstation sends a message to the Authorization Server (AS) requesting a Ticket Granting Ticket (TGT).
2. The AS verifies the user’s access rights, creates the TGT and a session key, and encrypts the result using a key derived from the user’s password. The user is prompted for the password and the flow continues only if decryption succeeds.
3. A request is sent to the Ticket Granting Service (TGS) containing an authenticator and the TGT, both encrypted with the session key.
4. The TGS decrypts the ticket and the authenticator, verifies the request and creates a service ticket. It returns the service ticket with two copies of the server session key (encrypted with the client and service passwords).
5. The client sends a service request with the service ticket and an authenticator. The server authenticates the request by decrypting the session key and grants access if ticket and authenticator match.
6. If mutual authentication is required, the server replies with an authentication message.
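A runnable simulation of steps 1 to 6 above, added here as an illustration; it is not from the slides or from any Kerberos implementation. The KDC state, the user "alice", the service name "glance" and the HMAC-based stand-in cipher in seal/unseal are constructed assumptions (real Kerberos uses its own encryption types and ASN.1 messages).

```python
import hashlib, hmac, json, os, time

def kdf(password: str) -> bytes:              # toy password-to-key derivation (stand-in)
    return hashlib.sha256(password.encode()).digest()

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # HMAC-SHA256 in counter mode; a stand-in for the Kerberos encryption types
    return b"".join(hmac.new(key, nonce + bytes([i]), hashlib.sha256).digest()
                    for i in range(n // 32 + 1))[:n]
def seal(key: bytes, obj: dict) -> bytes:     # encrypt-then-MAC of a JSON message
    pt, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()
def unseal(key: bytes, blob: bytes) -> dict:  # raises on wrong key or tampering
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered ticket/authenticator")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

# Constructed KDC state: a user's long-term key, the TGS (krbtgt) key and one service key
USERS = {"alice": kdf("correct horse")}
KEYS = {"krbtgt": os.urandom(32), "glance": os.urandom(32)}

def as_exchange(user: str):                   # steps 1-2: AS issues TGT + session key
    sk = os.urandom(32).hex()
    tgt = seal(KEYS["krbtgt"], {"user": user, "sk": sk, "exp": time.time() + 600})
    return tgt, seal(USERS[user], {"sk": sk})  # only the right password unseals this part
def tgs_exchange(tgt: bytes, auth: bytes):    # steps 3-4: TGS issues a service ticket
    t = unseal(KEYS["krbtgt"], tgt)
    a = unseal(bytes.fromhex(t["sk"]), auth)   # authenticator proves client knows session key
    if a["user"] != t["user"] or t["exp"] < time.time():
        raise ValueError("authenticator does not match TGT, or TGT expired")
    ssk = os.urandom(32).hex()
    ticket = seal(KEYS[a["svc"]], {"user": t["user"], "ssk": ssk})
    return ticket, seal(bytes.fromhex(t["sk"]), {"ssk": ssk})
def service_exchange(ticket: bytes, auth: bytes):  # steps 5-6: service checks, replies
    t = unseal(KEYS["glance"], ticket)
    a = unseal(bytes.fromhex(t["ssk"]), auth)
    if a["user"] != t["user"]:
        raise ValueError("authenticator does not match service ticket")
    return seal(bytes.fromhex(t["ssk"]), {"ts": a["ts"]})  # mutual auth: echo timestamp
def login(user: str, password: str) -> bool:  # the client's side of the whole flow
    tgt, enc = as_exchange(user)
    sk = bytes.fromhex(unseal(kdf(password), enc)["sk"])   # fails on a wrong password
    ticket, enc2 = tgs_exchange(tgt, seal(sk, {"user": user, "svc": "glance", "ts": time.time()}))
    ssk = bytes.fromhex(unseal(sk, enc2)["ssk"])
    ts = time.time()
    reply = service_exchange(ticket, seal(ssk, {"user": user, "ts": ts}))
    return unseal(ssk, reply)["ts"] == ts      # server proved it knew the session key
```

Note that the password never leaves the workstation: it only unlocks the AS reply locally, and a wrong password or a modified ticket fails the MAC check rather than reaching the service.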
Authentication Methods: Digital Signature (Non-Repudiation)

(figure; source: https://www.docusign.com/how-it-works/electronic-signature/digital-signature/digital-signature-faq)
Authentication Methods: X.509 Certificate [8]

Source: https://msdn.microsoft.com/en-us/library/ff649801.aspx

1. The client sends a message to the server
   - The message includes the client’s credentials signed with its private key (paired with the public key in the certificate)
   - The X.509 certificate is attached if the service does not store or have access to certificates
2. The server validates the certificate
   - Not expired
   - Consistent information
   - Issuing CA (compare the signature of the client’s certificate with the certificate of the issuing CA)
   - The CA has not revoked the certificate
3. The service uses the public key in the client’s certificate to verify the client’s signature
   - Authenticates the client
   - Ensures data has not been tampered with after the message was signed
4. The service may send a response back to the client
Keystone: Identity Concepts

- Authentication
  - Confirms the identity of a user through validation of the supplied credentials
  - When the credentials are validated, an authentication token is issued (provided in subsequent requests)
- Credentials
  - Data that confirm the identity of a user
  - Username and password, username and API key, or authentication token
- Domain (Identity service API v3 entity)
  - Collection of projects and users
  - Defines administrative boundaries for managing identity entities
  - A domain administrator can create projects and users, and assign roles to them (within the domain)
Keystone: Identity Concepts

- Endpoint
  - Network-accessible address (URL) through which a service is accessed
  - Three types: internal, public and administration
- Project (previously known as tenant)
  - Container that groups/isolates identity objects (networks, VMs, users, roles, etc.)
- Region (Identity service API v3 entity)
  - General division of an OpenStack deployment (e.g. geographical)
  - OpenStack environments separated by regions have dedicated API endpoints but a common Keystone service
Keystone: Identity Concepts

- Role
  - Set of allowed operations associated with a user
  - Tokens issued by the identity service include a list of roles
  - When called by users, services determine which operations/resources the role grants access to
- Service
  - Compute (nova), Object Storage (swift), or Image Service (glance)
  - Users access resources and perform operations through service endpoints
Keystone: Identity Concepts

- Token
  - Alphanumeric text string
  - Enables access to OpenStack APIs and resources
  - May be revoked at any time and is valid for a finite duration
- User
  - Representation of a person, system or service using OpenStack services (API consumer)
  - Accesses resources using the token assigned during authentication
  - Can be associated with roles, projects, or both
Keystone: Elements

- Fernet
  - Secure messaging format designed for use in API tokens
  - Fernet tokens are bearer tokens (https://tools.ietf.org/html/rfc6750)
    - Any party in possession of the token can use it in any way any other party in possession of it can
    - Do not require proof-of-possession
  - Characteristics
    - Non-persistent: do not need to be stored in a database
    - Lightweight: contain minimal identity information and dynamic authorization context
    - Symmetric encryption: payload encrypted using AES and signed using SHA
    - Payload is serialized with MessagePack (https://msgpack.org/), then encrypted and signed as a Fernet token
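As an added illustration (not from the slides and not Keystone’s own code), a stdlib-only Python sketch of the Fernet token layout and of the signature and expiry checks a validator runs before it ever decrypts. The AES-128-CBC encryption of the MessagePack payload is replaced by constructed placeholder bytes (the standard library has no AES), and the list of keys passed to verify_token stands in for Keystone’s key repository with a primary key and older secondary keys.

```python
import base64, hashlib, hmac, os, struct, time

def fernet_keygen() -> bytes:
    # A Fernet key is 32 random bytes, base64url-encoded: first 16 bytes sign, last 16 encrypt
    return base64.urlsafe_b64encode(os.urandom(32))

def _signing_key(key: bytes) -> bytes:
    return base64.urlsafe_b64decode(key)[:16]

def build_token(key: bytes, ciphertext: bytes, ts=None) -> bytes:
    """Token layout: 0x80 | 64-bit big-endian timestamp | 128-bit IV | ciphertext | HMAC-SHA256.
    `ciphertext` is constructed bytes standing in for the AES-128-CBC output of the
    MessagePack payload; the signing and timestamp parts follow the Fernet spec."""
    body = b"\x80" + struct.pack(">Q", int(ts if ts is not None else time.time()))
    body += os.urandom(16) + ciphertext            # IV is random per token
    tag = hmac.new(_signing_key(key), body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body + tag)

def verify_token(token: bytes, keys: list, ttl: int, now=None) -> bytes:
    """Return the sealed payload if `token` is signed by any key in `keys` and is within `ttl`.
    Trying every key in the repository is what lets Keystone rotate keys without
    invalidating tokens that are still live; nothing is looked up in a database."""
    raw = base64.urlsafe_b64decode(token)
    body, tag = raw[:-32], raw[-32:]
    if body[:1] != b"\x80":
        raise ValueError("unsupported Fernet version byte")
    for key in keys:
        if hmac.compare_digest(tag, hmac.new(_signing_key(key), body, hashlib.sha256).digest()):
            break
    else:
        raise ValueError("signature matches no key in the repository")
    issued = struct.unpack(">Q", body[1:9])[0]
    if (now if now is not None else time.time()) - issued > ttl:
        raise ValueError("token expired")
    return body[25:]                               # 1 + 8 + 16 header bytes precede the payload
```

Because the token carries its own timestamp and MAC, a validator only needs the key repository and a TTL; this is why Fernet tokens need no persistence, and why anyone holding the token string can use it until it expires or the keys are rotated out.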
Keystone: Elements

- Keystone Web Server Gateway Interface (WSGI) service
  - Module run in a WSGI-capable web server (e.g. Apache) to provide the identity service
  - Replacement for ‘keystone-all’
- Bootstrapping Identity
  - Pre-populates keystone with initial data before it can be used
  - The system’s first user, project, domain, service, and endpoint
  - Puts enough information into the system so that it can function through the API using normal authentication flows
Glance

- Enables discovery, registration, and retrieval of VM images (Image-as-a-Service provider)
- REST API: to query VM image metadata and retrieve the actual image
- Supports different plugins for image storage
  - File system (controller node)
  - Swift
  - Ceph
  - HTTP
Glance Architecture [5]

(architecture diagram; not reproduced in this text)
Glance Architecture

- Glance-API
  - Accepts image API calls (discovery, retrieval, and storage)
- Glance-Registry
  - Stores, processes and retrieves image metadata (size, type, owner, etc.)
Glance: Supported Disk Formats

Type of disk        Description
aki, ami and ari    Amazon Kernel Image, Amazon Machine Image, Amazon Ramdisk Image
iso                 Data contents of an optical disk (CD-ROM)
qcow2               Supported by QEMU, supports copy-on-write
raw                 Unstructured disk format
vdi                 Supported by VirtualBox and QEMU
vhd                 Supported by Microsoft, supported by different virtual machine monitors
vmdk                Developed by VMware, supported by many virtual machine monitors
Bibliography

1. Daniel Miessler. The Difference Between URLs and URIs. https://danielmiessler.com/study/url-uri/
2. Introducing JSON. https://www.json.org/
3. MuleSoft. What is a REST API? https://www.mulesoft.com/resources/api/what-is-rest-api-design
4. OpenStack. OpenStack Administrator Guide. https://docs.openstack.org/newton/admin-guide/identity-management.html
5. Andrey Markelov. Certified OpenStack Administrator Guide.
6. IBM. LDAP Authentication Overview. https://www.ibm.com/support/knowledgecenter/en/SSD29G_2.0.0/com.ibm.swg.ba.cognos.tm1_inst.2.0.0.doc/c_ldapauthentication_n13008d.html
7. Intel. Introduction to Kerberos Authentication. https://software.intel.com/en-us/node/631433
8. Microsoft. Brokered Authentication: X509 PKI. https://msdn.microsoft.com/en-us/library/ff649801.aspx
9. Dolph Mathews. OpenStack Keystone Fernet tokens. http://blog.dolphm.com/openstack-keystone-fernet-tokens/
